Default to dual stack if both A/AAAA records are available. #1927

wants to merge 1 commit into
base: 3.2
64 changes: 43 additions & 21 deletions testssl.sh
Expand Up @@ -183,7 +183,8 @@ FNAME_PREFIX=${FNAME_PREFIX:-""} # output filename prefix, see --outprefi
APPEND=${APPEND:-false} # append to csv/json/html/log file
OVERWRITE=${OVERWRITE:-false} # overwriting csv/json/html/log file
[[ -z "$NODNS" ]] && declare NODNS # If unset it does all DNS lookups per default. "min" only for hosts or "none" at all
HAS_IPv6=${HAS_IPv6:-false} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
HAS_IPv6=${HAS_IPv6:-true} # if you have OpenSSL with IPv6 support AND IPv6 networking set it to yes
HAS_IPv4=${HAS_IPv4:-true} # if IPv4 networking is present, set to false eg on NAT64 or IPv6-only networks
ALL_CLIENTS=${ALL_CLIENTS:-false} # do you want to run all client simulation form all clients supplied by SSLlabs?
OFFENSIVE=${OFFENSIVE:-true} # do you want to include offensive vulnerability tests which may cause blocking by an IDS?
ADDTL_CA_FILES="${ADDTL_CA_FILES:-""}" # single file with a CA in PEM format or comma separated lists of them
Expand Down Expand Up @@ -19417,7 +19418,8 @@ tuning / connect options (most also can be preset via environment variables):
--ssl-native fallback to checks with OpenSSL where sockets are normally used
--openssl <PATH> use this openssl binary (default: look in \$PATH, \$RUN_DIR of $PROG_NAME)
--proxy <host:port|auto> (experimental) proxy connects via <host:port>, auto: values from \$env (\$http(s)_proxy)
-6 also use IPv6. Works only with supporting OpenSSL version and IPv6 connectivity
-only6 only test IPv6, even if IPv4 is also present
-only4 only test IPv4, even if IPv6 is also present
--ip <ip> a) tests the supplied <ip> v4 or v6 address instead of resolving host(s) in URI
b) arg "one" means: just test the first DNS returns (useful for multiple IPs)
-n, --nodns <min|none> if "none": do not try any DNS lookups, "min" queries A, AAAA and MX records
Expand Down Expand Up @@ -19526,6 +19528,7 @@ HAS_CURVES: $HAS_CURVES
OSSL_SUPPORTED_CURVES: $OSSL_SUPPORTED_CURVES

HAS_IPv6: $HAS_IPv6
HAS_IPv4: $HAS_IPv4
HAS_SSL2: $HAS_SSL2
HAS_SSL3: $HAS_SSL3
HAS_TLS13: $HAS_TLS13
Expand Down Expand Up @@ -20308,29 +20311,36 @@ determine_ip_addresses() {
fi
fi

# IPv6 only address
if [[ -z "$ip4" ]]; then
if "$HAS_IPv6"; then
IPADDRs=$(newline_to_spaces "$ip6")
IP46ADDRs="$IPADDRs" # IP46ADDRs are the ones to display, IPADDRs the ones to test
# construct IPADDRs
if "$HAS_IPv6"; then
if [[ -n "$ip6" ]]; then
if ! [[ -z "$IPADDRs" ]]; then
IPADDRs+=" "
fi
IPADDRs+=$(newline_to_spaces "$ip6")
fi
else
if "$HAS_IPv6" && [[ -n "$ip6" ]]; then
if is_ipv6addr "$CMDLINE_IP"; then
IPADDRs=$(newline_to_spaces "$ip6")
else
IPADDRs=$(newline_to_spaces "$ip4 $ip6")
fi
else
IPADDRs=$(newline_to_spaces "$ip4")
fi
if "$HAS_IPv4"; then
if [[ -n "$ip4" ]]; then
if ! [[ -z "$IPADDRs" ]]; then
IPADDRs+=" "
fi
IPADDRs+=$(newline_to_spaces "$ip4")
fi
fi

if [[ -z "$IPADDRs" ]]; then
if [[ -n "$ip6" ]]; then
fatal "Only IPv6 address(es) for \"$NODE\" available, maybe add \"-6\" to $0" $ERR_DNSLOOKUP
else
if [[ -z "$IP46ADDRs" ]]; then
fatal "No IPv4/IPv6 address(es) for \"$NODE\" available" $ERR_DNSLOOKUP
fi

if [[ -n "$ip6" ]]; then
fatal "Only IPv6 address(es) for \"$NODE\" available but IPv4-only mode specified" $ERR_DNSLOOKUP
fi
if [[ -n "$ip4" ]]; then
fatal "Only IPv4 address(es) for \"$NODE\" available but IPv6-only mode specified" $ERR_DNSLOOKUP
fi

fi
return 0 # IPADDR and IP46ADDR is set now
}
Expand Down Expand Up @@ -22601,6 +22611,18 @@ parse_cmd_line() {
-6) # doesn't work automagically. My versions have -DOPENSSL_USE_IPV6, CentOS/RHEL/FC do not
HAS_IPv6=true
;;
-only6)
HAS_IPv4=false
if ! "$HAS_IPv6"; then
fatal "Options -only6 and -only4 are mutually exclusive"
fi
;;
-only4)
if ! "$HAS_IPv4"; then
fatal "Options -only6 and -only4 are mutually exclusive"
fi
HAS_IPv6=false
;;
--has[-_]dhbits|--has[_-]dh[-_]bits)
# Should work automagically. Helper switch for CentOS,RHEL+FC w openssl server temp key backport (version 1.0.1), see #190
HAS_DH_BITS=true
Expand Down Expand Up @@ -22931,9 +22953,9 @@ lets_roll() {
if ! determine_ip_addresses; then
fatal "No IP address could be determined" $ERR_DNSLOOKUP
fi
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ipv4 address to check
if [[ $(count_words "$IPADDRs") -gt 1 ]]; then # we have more than one ip address to check
MULTIPLE_CHECKS=true
pr_bold "Testing all IPv4 addresses (port $PORT): "; outln "$IPADDRs"
pr_bold "Testing all IP addresses (port $PORT): "; outln "$IPADDRs"
for ip in $IPADDRs; do
draw_line "-" $((TERM_WIDTH * 2 / 3))
outln
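Review bot: In the rewritten determine_ip_addresses block the new `IPADDRs+=` appends replace the old unconditional `IPADDRs=$(...)` assignments, but nothing in the hunk clears IPADDRs first, so if the function runs more than once in the same process addresses from an earlier call would carry over unless a reset happens above the hunk; an explicit `IPADDRs=""` before `# construct IPADDRs` would make the function self-contained. The removed `IP46ADDRs="$IPADDRs"` line is not re-added, so the `[[ -z "$IP46ADDRs" ]]` check at the bottom now relies on IP46ADDRs being set in the part of the function above the hunk, which is worth confirming since the return comment still promises both variables are set. The old special case that tested only the IPv6 addresses when `is_ipv6addr "$CMDLINE_IP"` is dropped without replacement, so a caller passing `--ip <v6addr>` against a dual-stack name may now also have the A records tested, assuming ip4 is populated in that path. Separately, flipping the `HAS_IPv6` default to true in the first hunk means AAAA records are connected to by default even on hosts without IPv6 routing or an IPv6-capable OpenSSL, which the kept `-6` comment in parse_cmd_line says is not automatic; the new -only6/-only4 arms also call `fatal` without the exit-code argument every other `fatal` in this diff passes. determine_ip_addresses begins above the hunk.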